Created attachment 347943 [details] Patch which only enforces SELinux policy if SELinux is run in enforcing mode Description of problem: After running into bug #506076, I switched SELinux temporarily to permissive mode to work around the problems I encountered. Still I couldn't log into GNOME (KDE, XFCE) because the system dbus-daemon checked whether applications were allowed to talk over the bus (which they weren't due to broken policy). Version-Release number of selected component (if applicable): dbus-1.2.12-1.fc11.x86_64 How reproducible: reproducible Steps to Reproduce (possibly best done in a virtual machine you can throw away later): 1. switch SELinux to permissive mode 2. cause policy to not allow apps to talk over dbus (e.g. "semodule -r unconfineduser") 3. try to log in Actual results: Can't login, get errors about SELinux policy not allowing apps to talk to each other over the bus (see below). Expected results: Only checks SELinux permissions if policy is enabled and enforced. Additional info: Here's how the problem exhibits itself in .xsession-errors: --- 8< --- imsettings information ========================== Is DBus enabled: yes Is imsettings enabled: yes Is GTK+ supported: yes Is Qt supported: no DESKTOP_SESSION: gnome DISABLE_IMSETTINGS: IMSETTINGS_DISABLE_DESKTOP_CHECK: DBUS_SESSION_BUS_ADDRESS: unix:abstract=/tmp/dbus-gjqXqJZBDQ,guid=26a2311589d8b713eb9034144a320870 GTK_IM_MODULE: QT_IM_MODULE: xim XMODIFIERS: @im=none IMSETTINGS_MODULE: none IMSETTINGS_INTEGRATE_DESKTOP: yes gnome-session[8933]: WARNING: Could not make bus activated clients aware of DISPLAY=:0.0 environment variable: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") gnome-session[8933]: WARNING: Could not make bus activated clients aware of GNOME_DESKTOP_SESSION_ID=this-is-deprecated environment variable: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") gnome-session[8933]: WARNING: Could not make bus activated clients aware of SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/8933,unix/unix:/tmp/.ICE-unix/8933 environment variable: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") gnome-session[8933]: Gtk-CRITICAL: gtk_main_quit: assertion `main_loops != NULL' failed gnome-session[8933]: CRITICAL: dbus_g_proxy_new_for_name: assertion `connection != NULL' failed gnome-session[8933]: Gtk-CRITICAL: gtk_main_quit: assertion `main_loops != NULL' failed gnome-session[8933]: GLib-GObject-CRITICAL: g_object_unref: assertion `G_IS_OBJECT (object)' failed gnome-session[8933]: CRITICAL: error getting session bus: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") gnome-session[8933]: WARNING: Unable to register presence with session bus gnome-session[8933]: CRITICAL: dbus_g_proxy_new_for_name: assertion `connection != NULL' failed GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")) GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")) gnome-session[8933]: WARNING: Error retrieving configuration key '/desktop/gnome/session/idle_delay': Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus")) gnome-session[8933]: CRITICAL: error getting session bus: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") --- >8 ---
i just hit this bug today - very grateful to see the workaround in the description! not sure why it's hitting my clean-installed F11 system. i did a packagekit update yesterday which claimed to have 294(!) updates to install and then appeared to hang on 'installing packages' but the yum log says it completed okay and 'yum update' now says all is up to date.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
Seems fixed in libselinux now: https://bugs.freedesktop.org/show_bug.cgi?id=21072
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping